About Configuring the Database Firewall

Configuring each Database Firewall's system and network settings depends on your overall plan for deploying Oracle Audit Vault and Database Firewall. See "Planning the System Configuration" for an overview of the planning steps.

When you configure each firewall, you identify the Audit Vault Server that will manage that firewall. Depending on your plan for the overall Oracle AVDF system configuration, you also configure the firewall's traffic sources, determine whether it will be inline or out of band with network traffic, and decide whether you will use it as a proxy.

CAUTION:

The Audit Vault Server and the Database Firewall server are software appliances. You must not make any changes to the Linux operating system through the command line on these servers unless following official Oracle documentation or under guidance from Oracle Support.

After you have configured the Database Firewalls, you configure enforcement points for each database secured target that the firewall is protecting. See "Configuring Enforcement Points" for details on these procedures.

Configuring a Database Firewall's Network Settings

The installer configures initial network settings for the Database Firewall during installation. You can change the network settings after installation.

To change the Database Firewall network settings:

Log in to the Database Firewall administration console.

In the System menu, select Network.

In the Network Configuration page, click the Change button.

In the Management Interface section, complete the following fields as necessary, then click Save.

IP Address: The IP address of the currently accessed Database Firewall. An IP address was set during installation. If you want to use a different address, then you can change it here. The IP address is static and must be obtained from the network administrator.

Network Mask: The subnet mask of the Database Firewall.

Gateway: The IP address of the default gateway (for example, for internet access). The default gateway must be on the same subnet as the host.

Name: Enter a descriptive name for this Database Firewall. The name must be alphanumeric with no spaces.

Link properties: Do not change the default setting unless your network has been configured not to use auto negotiation.

Configuring a Database Firewall's Network Services

The network services configuration determines how users can access the Database Firewall. See the guidelines in "Protecting Your Data" to ensure that you take the appropriate security measures when configuring network services.

To configure a Database Firewall's network services:

Log in to the Database Firewall administration console.

In the System menu, select Services.

Click the Change button, and in the Configure Network Services page, edit the following as necessary:

DNS Servers 1, 2, and 3: If hostnames must be resolved, you must enter the IP address of at least one DNS server on the network. You can enter IP addresses for up to three DNS servers. If there is no DNS server, leave the fields blank; otherwise system performance may be impaired.

Web Access: If you want to allow selected computers to have Web access to the Database Firewall administration console, enter their IP addresses separated by spaces. Entering all allows access from any computer in your site.

SSH Access: If you want to allow selected computers to have secure shell access to the Database Firewall, enter their IP addresses separated by spaces. Enter disabled to block all SSH access. Enter all to allow unrestricted access.

SNMP Access: If you want to allow access to the network configuration of the Database Firewall through SNMP, enter a list of IP addresses that are allowed to do so, separated by spaces. Enter disabled to restrict all SNMP access. Enter all to allow unrestricted access. The SNMP community string is gT8@fq+E.

Click Save.
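The Web Access, SSH Access and SNMP Access fields above share one small grammar: the keyword all, the keyword disabled (not offered for Web Access), or a space-separated list of IP addresses. The following checker is an added example, not Oracle's code or part of the product: it parses each field the way the descriptions above define it, answers whether a given client address would be admitted, and flags fields that are open to any host or that list addresses outside an administrative subnet. The field names, the sample settings and the admin subnet are constructed for the example.

```python
import ipaddress

# Keywords each field on the Configure Network Services page accepts, following
# the field descriptions above (Web Access has no "disabled" value).
FIELD_KEYWORDS = {
    "web_access": {"all"},
    "ssh_access": {"all", "disabled"},
    "snmp_access": {"all", "disabled"},
}


def parse_access_field(field, value):
    """Return (mode, addresses): mode is "all", "disabled" or "list".

    Raises ValueError for an empty field or a token that is neither an
    accepted keyword nor an IP address.
    """
    tokens = value.split()
    if not tokens:
        raise ValueError(f"{field}: value is empty")
    if len(tokens) == 1 and tokens[0].lower() in FIELD_KEYWORDS[field]:
        return (tokens[0].lower(), [])
    addrs = []
    for tok in tokens:
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            raise ValueError(
                f"{field}: {tok!r} is not an IP address or an accepted keyword") from None
    return ("list", addrs)


def field_is_valid(field, value):
    try:
        parse_access_field(field, value)
        return True
    except ValueError:
        return False


def is_allowed(field, value, client_ip):
    """Would a client at client_ip be admitted by this field setting?"""
    mode, addrs = parse_access_field(field, value)
    if mode == "all":
        return True
    if mode == "disabled":
        return False
    return ipaddress.ip_address(client_ip) in addrs


def review_services(config, admin_subnet):
    """Findings a reviewer would raise: unrestricted access, or management
    access granted to addresses outside the administrative subnet."""
    net = ipaddress.ip_network(admin_subnet)
    findings = []
    for field in FIELD_KEYWORDS:
        mode, addrs = parse_access_field(field, config[field])
        if mode == "all":
            findings.append(f"{field}: 'all' admits any host that can reach the firewall")
        for addr in addrs:
            if addr not in net:
                findings.append(f"{field}: {addr} is outside the admin subnet {net}")
    return findings


# Constructed sample settings (not from a real deployment).
SAMPLE_CONFIG = {
    "web_access": "10.20.30.5 10.20.30.6",
    "ssh_access": "disabled",
    "snmp_access": "all",
}

if __name__ == "__main__":
    for finding in review_services(SAMPLE_CONFIG, "10.20.30.0/24"):
        print(finding)
```

Run against the sample, the only finding is the SNMP field set to all; the Web Access list stays within the admin subnet and SSH is disabled outright.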

Setting the Date and Time in the Database Firewall

To set the Database Firewall date and time:

Log in to the Database Firewall administration console.

Click Date and Time from the System menu on the left, and then scroll down and click the Change button.

Enter the correct date and time in Coordinated Universal Time (UTC).

(Optional) Select Enable NTP Synchronization.

Selecting Enable NTP Synchronization keeps the time synchronized with the average of the times obtained from the time servers specified in the Server 1, Server 2, and Server 3 fields, each of which can contain an IP address or a name. If a name is specified, the DNS server specified in the System Settings page is used for name resolution.

Test Server displays the time from the server, but does not update the time.

Selecting Synchronize Time After Save causes the time to be synchronized with the time servers when you click Save.

WARNING:

In DPE (blocking) mode, Synchronize Time After Save causes all enforcement points to restart, thereby dropping existing connections to protected databases. This would cause a temporary traffic disruption.

Click Save.

Specifying the Audit Vault Server Certificate and IP Address

You must associate each Database Firewall with an Audit Vault Server by specifying the server's certificate and IP address, so that the Audit Vault Server can manage the firewall. If you are using a resilient pair of Audit Vault Servers for high availability, you must associate the firewall to both servers.

Note: You must specify the Audit Vault Server certificate and IP address to the Database Firewall (by following the procedure below) before you register the firewall in the Audit Vault Server.

To specify the Audit Vault Server certificate and IP address:

Log in to the Audit Vault Server as an administrator, and then click the Settings tab.

In the Security menu, click Certificate.

The server's certificate is displayed.

Copy the server's certificate.

Log in to the Database Firewall administration console.

In the System menu, click Audit Vault Server.

Enter the IP Address of the Audit Vault Server.

Paste the Audit Vault Server's Certificate in the next field.

If you are using a resilient pair of Audit Vault Servers, select the Add Second Audit Vault Server check box, and enter the IP address and certificate of the secondary Audit Vault Server.

Tip:

The secondary Audit Vault Server does not have a console UI. However, you can get the secondary server's certificate from the primary server: click the Settings tab, then High Availability from the System menu. The secondary server's certificate is in the Peer System Certificate field.
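The certificate copied in the procedure above travels through a clipboard and into a text field, where line wrapping, indentation or a lost trailing line can silently corrupt it. The following check is an added example, not Oracle's code: it strips the whitespace a paste introduces, verifies the PEM markers and base64 payload, checks that the outer DER SEQUENCE length matches the payload (which catches truncation), and computes a SHA-256 fingerprint so the text pasted into the firewall can be compared with what was copied from the Audit Vault Server. The sample DER payload is a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_der_sequence(der):
    """A certificate is a DER SEQUENCE: verify the outer tag and that the encoded
    length matches the payload, which catches a paste that lost trailing lines."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("invalid DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(der):
        raise ValueError(
            f"DER length {length} does not match {len(der) - offset} payload bytes")


def pem_to_der(pem_text):
    """Return the DER bytes of a PEM certificate block. Whitespace and line-wrap
    changes from copy/paste are tolerated; missing markers, stray characters
    and truncation are rejected."""
    text = pem_text.strip()
    if not text.startswith(PEM_BEGIN) or not text.endswith(PEM_END):
        raise ValueError("missing BEGIN/END CERTIFICATE markers")
    body = text[len(PEM_BEGIN):-len(PEM_END)]
    b64 = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 payload is damaged: {exc}") from None
    check_der_sequence(der)
    return der


def pem_is_valid(pem_text):
    try:
        pem_to_der(pem_text)
        return True
    except ValueError:
        return False


def fingerprint(pem_text):
    """SHA-256 fingerprint of the certificate bytes, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def same_certificate(pem_a, pem_b):
    """True when both PEM texts encode the same certificate bytes."""
    return fingerprint(pem_a) == fingerprint(pem_b)


# Constructed sample: a tiny DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = PEM_BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n" + PEM_END
# The same block as it might arrive after pasting: CRLF line ends and indentation.
PASTED_PEM = "  " + SAMPLE_PEM.replace("\n", "\r\n  ") + "\n"
# A copy that lost its last base64 characters.
TRUNCATED_PEM = PEM_BEGIN + "\nMAYCAQEC\n" + PEM_END

if __name__ == "__main__":
    print("pasted copy matches original:", same_certificate(SAMPLE_PEM, PASTED_PEM))
    print("truncated copy accepted:", pem_is_valid(TRUNCATED_PEM))
```

In practice you would compute the fingerprint of the certificate text shown on the Audit Vault Server's Certificate page and again of the text sitting in the firewall's field, and register the firewall only when the two agree.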

Configuring Database Firewalls on Your Network

About Configuring the Database Firewalls on Your Network

During your planning of the network configuration, you decide whether to place Database Firewalls inline with traffic to your secured target databases, or out of band (for example, using a spanning or mirror port). You may also decide to use a firewall as a traffic proxy. The network configuration is impacted by whether the Database Firewall will operate in DAM (monitoring only) or DPE (blocking) mode. See "The Database Firewall" for information on these modes.

Using the Database Firewall administration console, you configure each firewall's traffic sources, specifying whether the sources are inline with network traffic, and whether the firewall can act as a proxy.

You will use a firewall's traffic and proxy sources to configure enforcement points for each secured target database you are monitoring with that firewall. See "Configuring Enforcement Points" for details.

Configuring Traffic Sources

Traffic sources specify the IP address and network interface details for the traffic going through a Database Firewall. Traffic sources are automatically configured during the installation process, and you can change their configuration details later.

To remove a network interface (i.e., network card) from the traffic source, in the Devices area, click the Remove button for a device.

To add a network interface to a traffic source, scroll to the Unallocated Network Devices section, and from the Traffic Source drop-down list, select the name of the traffic source to which you want to add this device.

Click Save.

Configuring a Bridge in the Database Firewall

The Database Firewall must be inline with network traffic if used in blocking mode to block potential SQL attacks. If the Database Firewall is not in proxy mode, then you must allocate an additional IP address that is unique to the database network, to enable a bridge. The bridge IP address is used to redirect traffic within the Database Firewall. When the Database Firewall is used as a proxy, you do not need to allocate this additional IP address. See "Configuring a Database Firewall as a Traffic Proxy" for details.

To enable a traffic source as a bridge, that traffic source must have two network interfaces. These network interface ports must connect the Database Firewall inline between the database and its clients, in either Database Policy Enforcement (DPE) or Database Activity Monitoring (DAM) mode.

Note:

The IP address of the bridge must be on the same subnet as all protected databases deployed in DPE mode on that bridge. This restriction does not apply to protected databases deployed in DAM mode.

If the Database Firewall's management interface (specified in the console's Network page) and the bridge are connected to physically separate networks that are on the same subnet, the Database Firewall may route responses out of the wrong interface. If physically separate networks are required, use different subnets.

To configure the Database Firewall bridge IP address:

Log in to the Database Firewall administration console.

In the System menu, click Network, and then click the Change button.

In the Traffic Sources section, find the traffic source that you want to configure as a bridge.

This traffic source must have two network interfaces. You can add an interface if necessary from the Unallocated Network Interfaces section of the page. See "Configuring Traffic Sources".

Select Bridge Enabled for this traffic source.

If necessary, edit the IP address or Network Mask.

The bridge IP address is used to redirect traffic within the Database Firewall.

Click Save.

Configuring a Database Firewall as a Traffic Proxy

Depending on your network configuration, you may prefer to configure a traffic proxy in the Database Firewall instead of a bridge inline with network traffic. You can then associate the proxy with an enforcement point. You can also specify multiple ports for a proxy in order to use them for different enforcement points. See "Configuring Enforcement Points" for more information.

Once you set up the Database Firewall as a traffic proxy, your database clients connect to the database using the Database Firewall proxy IP and port.

To configure a traffic proxy:

Ensure that the IP address of the proxy interface is on the same subnet as the secured target.

Log in to the administration console of the Database Firewall that is acting as a proxy.

In the System menu, click Network, then click the Change button.

In the Unallocated Network Interfaces section of the page, find an available network interface, and select Traffic Proxy in the Traffic Source drop-down list.

To free up additional network interfaces, you can remove them from an existing traffic source or traffic proxy by clicking the Remove button for the network interface(s) you want to free up.

Click Add.

The new traffic proxy appears under the Traffic Proxies area of the page.

Under the new proxy, select Enabled.

In the Proxy Ports section for the new proxy, enter a Port number, and then click Add.

You can specify more than one port per proxy by entering another port number and clicking Add.
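The bridge and proxy procedures above, together with the Network page settings, impose several subnet rules that are easy to violate when the addresses are planned on paper: the default gateway must sit on the management subnet, a bridge needs exactly two interfaces, DPE targets on a bridge must share the bridge subnet (DAM targets need not), physically separate management and bridge networks must not share a subnet, and a proxy interface must share a subnet with the targets it fronts. The following pre-flight check is an added example and is not Oracle's code or any tool shipped with the product; the plan structure, its field names and all addresses are constructed for the example.

```python
import copy
import ipaddress


def validate_plan(plan):
    """Check a planned Database Firewall layout against the subnet rules in this
    chapter and return a list of problems (empty when the plan is consistent)."""
    problems = []
    mgmt = ipaddress.ip_interface(plan["management_ip"])
    gateway = ipaddress.ip_address(plan["gateway"])

    # Network page: the default gateway must be on the management host's subnet.
    if gateway not in mgmt.network:
        problems.append(
            f"gateway {gateway} is outside the management subnet {mgmt.network}")

    bridge = plan.get("bridge")
    if bridge is not None:
        # A bridged traffic source needs exactly two network interfaces.
        if len(bridge["interfaces"]) != 2:
            problems.append(
                f"bridge needs two interfaces, has {len(bridge['interfaces'])}")
        br = ipaddress.ip_interface(bridge["ip"])
        # Physically separate management and bridge networks must not share a
        # subnet, or responses may leave through the wrong interface.
        if bridge["physically_separate_from_management"] and br.network.overlaps(mgmt.network):
            problems.append(
                f"bridge subnet {br.network} overlaps management subnet {mgmt.network} "
                "on a physically separate network")
        # DPE targets on the bridge must share its subnet; DAM targets are exempt.
        for t in plan["secured_targets"]:
            if t["via"] == "bridge" and t["mode"] == "DPE":
                if ipaddress.ip_address(t["ip"]) not in br.network:
                    problems.append(
                        f"DPE target {t['name']} ({t['ip']}) is outside the bridge subnet {br.network}")

    proxy = plan.get("proxy")
    if proxy is not None:
        pr = ipaddress.ip_interface(proxy["ip"])
        # The proxy interface must share a subnet with every target it fronts.
        for t in plan["secured_targets"]:
            if t["via"] == "proxy" and ipaddress.ip_address(t["ip"]) not in pr.network:
                problems.append(
                    f"proxied target {t['name']} ({t['ip']}) is outside the proxy subnet {pr.network}")
    return problems


# Constructed sample plan; the field names and addresses are this example's own.
GOOD_PLAN = {
    "management_ip": "10.10.1.20/24",
    "gateway": "10.10.1.1",
    "bridge": {
        "ip": "192.168.50.5/24",
        "interfaces": ["eth1", "eth2"],
        "physically_separate_from_management": True,
    },
    "proxy": {"ip": "192.168.70.5/24", "interfaces": ["eth3"]},
    "secured_targets": [
        {"name": "sales_db", "ip": "192.168.50.10", "mode": "DPE", "via": "bridge"},
        {"name": "hr_db", "ip": "192.168.60.10", "mode": "DAM", "via": "bridge"},
        {"name": "erp_db", "ip": "192.168.70.30", "mode": "DPE", "via": "proxy"},
    ],
}

# The same plan with two mistakes: a gateway off the management subnet, and
# hr_db switched to blocking mode while it sits on another subnet.
BAD_PLAN = copy.deepcopy(GOOD_PLAN)
BAD_PLAN["gateway"] = "10.10.2.1"
BAD_PLAN["secured_targets"][1]["mode"] = "DPE"

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan) or ["no problems"])
```

The DAM target hr_db on a different subnet is accepted in the good plan, which is exactly the exemption the bridge note states; flipping it to DPE is what turns it into a finding.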